mod_ntlm Set Up For Apache 2,
Including Integration with
Tomcat and PHP

This document aims to assemble information from a variety of
sources in an effort to consolidate answers to the many possible
gotchas that might make for a long day of configuring
mod_ntlm for Apache 2.x. Specifically, this document deals
with mod_ntlm2.

The Obvious First Step: Install It.

Download mod_ntlm2: get either the tarball or an rpm. They are
available on sourceforge. I started here, but that document does
not spell out some of the pitfalls of configuration.

Assuming that you got the tarball (the extension on the sourceforge
download is .gz), unpack it with the tar command:

tar -zxvf mod_ntlm2-0.1.gz

"cd" to the newly created directory, which in the case above is
called "mod_ntlm2-0.1". Use "make" to compile the module.

make install

That should put the compiled module in the right place. The module
is called "mod_ntlm.so" and it should be in the "modules" directory
for Apache. In my case, on a RedHat Enterprise 3 install, this is
/etc/httpd/modules. Check to make sure that the file is there.
(The "make install" that you did might have put it elsewhere.
The point is that when you set up httpd.conf to load the module,
you have to point it to the right place. Just make sure that you
know where the module is.)

The make that you did *might* have created the correct entries in your
httpd.conf file. Check this out by opening the file (use vi: it's good
for you). Ok ok, how about gedit for the nice fonts:

gedit /etc/httpd/conf/httpd.conf

... or wherever you have Apache installed. Search for "LoadModule ntlm_module"
and you should find the following line:

LoadModule ntlm_module modules/mod_ntlm.so

If you do not find this line, then look for "LoadModule" and add this line
after all the other LoadModule lines.

The purpose of this is to make the module available to Apache. Note
that at this point NTLM authentication will not actually work yet.
You still have to tell Apache how to use mod_ntlm.

Configure Apache To Use mod_ntlm

Apache is a pretty flexible monster, so there are many ways to
tell it how to use mod_ntlm: e.g., you can use directives in
.htaccess files or you can set it up in httpd.conf. In my case,
I want to use it always. I achieved that by adding the following
at the end of my httpd.conf file (you will need to change certain
values, as detailed below):

First off, note that if you want NTLM authentication turned on
only in certain directories, you should specify that location.
E.g., instead of "/" you might want to use "/blue" (that's my
testing place).

The Important Points Of Configuration

You will have to change a few directives in your file. First,
your NTLMDomain will be different. In my case, the domain is
called "psb" — change yours appropriately. Second,
your NTLMServer and NTLMBackup will be different. Find out
what they are called on your network and change those values
appropriately.

Here's where I got stuck! Do not use a suffix on your
NTLMServer and NTLMBackup values. For example, at first
I called mine "provident1.provident" and "fs0201.provident"
and I got Internal Server Errors. Looking in the Apache
logs revealed that there was a problem communicating with
the Domain Controller. I found a reference to a similar
problem and the suggestion was to NOT use the suffix.
Hence, I removed the suffixes and it worked!

Furthermore, if you have problems getting to the domain
controllers, try adding them to "/etc/hosts". And, make
sure that your firewall is not blocking communication with
them.
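
The checks from this section as a script, added here as an example and not part of the original page: it looks for an active LoadModule line and flags NTLMServer / NTLMBackup values that carry a suffix. The sample configs are constructed, and treating all three NTLM directives as required is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): lint an httpd.conf for the
# mod_ntlm pitfalls above. Returns the number of problems found (0 = clean).
check_ntlm_conf() {
    conf=$1
    problems=0
    # The module must be loaded by a line that is not commented out.
    if ! grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+ntlm_module[[:space:]]' "$conf"; then
        echo "LoadModule ntlm_module: not found"
        problems=$((problems + 1))
    fi
    for d in NTLMDomain NTLMServer NTLMBackup; do
        # First uncommented occurrence; directive names are case-insensitive.
        val=$(awk -v d="$d" 'tolower($1) == tolower(d) { print $2; exit }' "$conf" | tr -d '"')
        if [ -z "$val" ]; then
            # Assumption: all three are expected, as in the setup described above.
            echo "$d: not set"
            problems=$((problems + 1))
            continue
        fi
        case "$d:$val" in
            NTLMDomain:*) ;;   # the suffix pitfall concerns the controllers only
            *.*)
                echo "$d: '$val' carries a suffix, try '${val%%.*}'"
                problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample configs, written to a temporary directory.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/bad.conf" <<'EOF'
#LoadModule ntlm_module modules/mod_ntlm.so
NTLMDomain psb
NTLMServer provident1.provident
NTLMBackup fs0201.provident
EOF
cat > "$SAMPLES/good.conf" <<'EOF'
LoadModule ntlm_module modules/mod_ntlm.so
NTLMDomain psb
NTLMServer provident1
NTLMBackup fs0201
EOF
for f in bad good; do
    echo "== $f.conf"
    check_ntlm_conf "$SAMPLES/$f.conf" || echo "-> $? problem(s)"
done
```

The function reads only the file it is given, so directives placed in .htaccess files or in other included files are not seen.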

Review

So the big points are to:

Download the correct version of mod_ntlm

Compile and install it and check the config files

Set up Apache, via the httpd.conf file, to require authentication where desired

Watch out for the little things! Like those suffixes on the domain controllers

If you want to test integration with Tomcat, then I assume you have
already set up Apache to forward requests to Tomcat with mod_jk.
(If not, there is a how-to in the "Technology" section of this
site). Try the same as above as a .jsp instead. Replace the PHP
code with: